Vulnerability Details CVE-2022-23652
capsule-proxy is a reverse proxy for Capsule Operator which provides multi-tenancy in Kubernetes. In versions prior to 0.2.1 an attacker with a proper authentication mechanism may use a malicious `Connection` header to start a privilege escalation attack towards the Kubernetes API Server. This vulnerability allows for an exploit of the `cluster-admin` Role bound to `capsule-proxy`. There are no known workarounds for this issue.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.004
EPSS Ranking 57.8%
CVSS Severity
CVSS v3 Score 8.8
CVSS v2 Score 6.5
References
- https://github.com/clastix/capsule-proxy/commit/efe91f68ebf8a9e3d21491dc57da7b8a746415d8
- https://github.com/clastix/capsule-proxy/issues/188
- https://github.com/clastix/capsule-proxy/security/advisories/GHSA-9cwv-cppx-mqjm
- https://github.com/clastix/capsule-proxy/commit/efe91f68ebf8a9e3d21491dc57da7b8a746415d8
- https://github.com/clastix/capsule-proxy/issues/188
- https://github.com/clastix/capsule-proxy/security/advisories/GHSA-9cwv-cppx-mqjm
Products affected by CVE-2022-23652
-
cpe:2.3:a:clastix:capsule-proxy:-
-
cpe:2.3:a:clastix:capsule-proxy:0.0.1
-
cpe:2.3:a:clastix:capsule-proxy:0.0.2
-
cpe:2.3:a:clastix:capsule-proxy:0.0.3
-
cpe:2.3:a:clastix:capsule-proxy:0.0.4
-
cpe:2.3:a:clastix:capsule-proxy:0.0.5
-
cpe:2.3:a:clastix:capsule-proxy:0.1.0
-
cpe:2.3:a:clastix:capsule-proxy:0.1.1
-
cpe:2.3:a:clastix:capsule-proxy:0.2.0